Error: DNS problem: query timed out looking up CAA

We continually get this error when trying to get a cert.

My domain is: culturepass.nyc

I ran this command: certbot certonly --webroot -w /var/www/html/bplnop -d culturepass.nyc -d www.culturepass.nyc

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for culturepass.nyc
http-01 challenge for www.culturepass.nyc
Using the webroot path /var/www/html/ for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.culturepass.nyc (http-01): urn:acme:error:dns :: DNS problem: query timed out looking up CAA for www.culturepass.nyc, culturepass.nyc (http-01): urn:acme:error:dns :: DNS problem: query timed out looking up CAA for culturepass.nyc

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.culturepass.nyc
   Type:   None
   Detail: DNS problem: query timed out looking up CAA for
   www.culturepass.nyc

   Domain: culturepass.nyc
   Type:   None
   Detail: DNS problem: query timed out looking up CAA for
   culturepass.nyc

My web server is (include version): apache

The operating system my web server runs on is (include version): RHEL

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): yes

Hi @tombpl,

This is the error and this is what you need to solve:

DNS problem: query timed out looking up CAA for www.culturepass.nyc, culturepass.nyc

None of your authoritative name servers (neither ns1.hvdata.net nor ns2.hvdata.net) answers requests for the CAA record of your domain.

$ dig @ns1.hvdata.net culturepass.nyc caa

; <<>> DiG 9.10.3-P4-Debian <<>> @ns1.hvdata.net culturepass.nyc caa
; (2 servers found)
;; global options: +cmd
;; connection timed out; no servers could be reached

$ dig @ns2.hvdata.net culturepass.nyc caa

; <<>> DiG 9.10.3-P4-Debian <<>> @ns2.hvdata.net culturepass.nyc caa
; (2 servers found)
;; global options: +cmd
;; connection timed out; no servers could be reached

Since last September, all CAs (like Let's Encrypt) MUST check whether your domains have CAA records defined or not. There is no need to have a CAA record, but your DNS server should answer with NXDOMAIN, NOERROR or similar, never with an error or by timing out on the request.

You should talk about this with your DNS provider.

Cheers,
sahsanu
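The check sahsanu ran by hand (query each authoritative name server directly for CAA and look at whether it answers at all) can be scripted so the result is unambiguous. The script below is an added example for this thread, not code from Let's Encrypt or from anyone in the discussion. It assumes `dig` (bind-utils on RHEL) is installed; the domain is only a default and can be passed as the first argument. The embedded sample dig outputs are constructed for offline testing, and the `example.com` CAA record in them is made up.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread): reproduce a CA's CAA lookup
# against each authoritative name server of a domain and classify the reply.
# A CA validator only needs a *response*: NOERROR (with or without CAA
# records) or NXDOMAIN is fine; a timeout, SERVFAIL or REFUSED makes
# Let's Encrypt fail with "DNS problem: query timed out looking up CAA".
# Assumes: dig is installed (bind-utils / dnsutils).

set -u

# caa_status DIG_OUTPUT
# Reduce one full dig output to a single token:
# TIMEOUT, NOERROR, NXDOMAIN, SERVFAIL, REFUSED or OTHER.
caa_status() {
  out="$1"
  if printf '%s\n' "$out" | grep -q 'connection timed out'; then
    echo TIMEOUT
    return 0
  fi
  # The rcode lives in the ";; ->>HEADER<<- ... status: X," line.
  status=$(printf '%s\n' "$out" \
    | sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
  case "$status" in
    NOERROR|NXDOMAIN|SERVFAIL|REFUSED) echo "$status" ;;
    *) echo OTHER ;;
  esac
}

# caa_verdict STATUS -> "ok" if a CA can proceed, "problem" otherwise.
# "No CAA records" (empty NOERROR or NXDOMAIN) is not a restriction.
caa_verdict() {
  case "$1" in
    NOERROR|NXDOMAIN) echo ok ;;
    *) echo problem ;;
  esac
}

# caa_records DIG_OUTPUT -> the CAA RRs in the answer section, if any.
caa_records() {
  printf '%s\n' "$1" \
    | awk '/^;; ANSWER SECTION:/{f=1; next} /^$/{f=0} f && $4=="CAA"{print}'
}

# check_caa DOMAIN [TIMEOUT_SECONDS]
# Discover the authoritative servers and query each one directly,
# without recursion, the way the manual dig in the thread did.
check_caa() {
  domain="$1"; timeout="${2:-5}"; rc=0
  for ns in $(dig +short NS "$domain"); do
    out=$(dig @"$ns" "$domain" CAA +time="$timeout" +tries=1 +norecurse 2>&1)
    status=$(caa_status "$out")
    verdict=$(caa_verdict "$status")
    printf '%-25s %-9s %s\n' "$ns" "$status" "$verdict"
    if [ -n "$(caa_records "$out")" ]; then caa_records "$out"; fi
    [ "$verdict" = ok ] || rc=1
  done
  return $rc
}

# Constructed sample dig outputs (not real captures) used for offline checks.
SAMPLE_TIMEOUT='; <<>> DiG 9.10.3-P4-Debian <<>> @ns1.hvdata.net culturepass.nyc caa
;; global options: +cmd
;; connection timed out; no servers could be reached'

SAMPLE_NOERROR_EMPTY='; <<>> DiG 9.10.3-P4-Debian <<>> @ns.example.net example.com caa
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;example.com.			IN	CAA
'

SAMPLE_NOERROR_CAA='; <<>> DiG 9.10.3-P4-Debian <<>> @ns.example.net example.com caa
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
example.com.		3600	IN	CAA	0 issue "letsencrypt.org"

;; Query time: 1 msec'

SAMPLE_SERVFAIL='; <<>> DiG 9.10.3-P4-Debian <<>> @ns.example.net example.com caa
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

# Only hit the network when a domain is given on the command line.
if [ "$#" -gt 0 ]; then
  check_caa "$@"
fi
```

Run it as `bash check_caa.sh culturepass.nyc`: every line should end in `ok`; any `TIMEOUT` or `SERVFAIL` line names the server to raise with the DNS provider. The status is taken from the dig header rather than from the absence of records, because an empty answer and a dead server look the same with `+short`.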


Thanks sahsanu. Will check with our DNS provider.
